registry  /  @quintinshaw/pi-dynamic-workflows  /  2.12.0

@quintinshaw/pi-dynamic-workflows@2.12.0

Claude-Code-style dynamic workflows for Pi — fan a task out across 100s of subagents with real model routing, token/cost accounting, resume, git-worktree isolation, an interactive /workflows TUI, and a real /deep-research.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. At Pi extension runtime, the package registers workflow tools, commands, UI hooks, optional web research, and user-requested git worktree isolation. No install-time execution or unconsented mutation of another agent control surface was found.

Static reason
No blocking static signals were detected.
Trigger
Loading the Pi extension and invoking workflow/research features during a session.
Impact
A user or agent granted these tools can make HTTP requests and create/remove isolated git worktrees; no covert exfiltration or persistence chain is established.
Mechanism
Pi extension registration with workflow scripting, arbitrary URL fetch, and optional git worktrees.
Rationale
No concrete malicious behavior was found, but the package installs a runtime AI-agent extension with network and workflow-execution capabilities. Per policy, this merits a non-blocking warning for extension lifecycle risk rather than a block.
Evidence
package.jsonextensions/workflow.tssrc/web-tools.tssrc/workflow.tssrc/worktree.tssrc/workflow-paths.tssrc/workflow-saved.tssrc/agent-registry.ts.pi/workflows.pi/agents.pi/worktrees
Network endpoints1
www.bing.com/search

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `extensions/workflow.ts` registers a Pi extension on `session_start`.
  • `src/web-tools.ts` exposes `web_fetch` for caller-supplied URLs and Bing search.
  • `src/workflow.ts` imports `node:vm` for workflow-script handling.
  • `src/worktree.ts` can invoke `git worktree` when agent isolation is requested.
Evidence against
  • `package.json` has no preinstall/install/postinstall/prepare hook; only `prepublishOnly` builds.
  • No source evidence of environment-variable harvesting or credential exfiltration.
  • No fixed external endpoint beyond `https://www.bing.com/search`; fetch targets are tool inputs.
  • State writes target package-aligned `.pi/workflows` paths; agent definitions are read, not mutated.
  • Git commands use `execFile` with fixed executable and argument arrays.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 65 file(s), 650 KB of source, external domains: www.bing.com

Source & flagged code

4 flagged · loading source
extensions/workflow.tsView file
Published source reference
Medium
Ai Review Evidence

`extensions/workflow.ts` registers a Pi extension on `session_start`.

extensions/workflow.tsView on unpkg
src/web-tools.tsView file
Published source reference
Medium
Ai Review Evidence

`src/web-tools.ts` exposes `web_fetch` for caller-supplied URLs and Bing search.

src/web-tools.tsView on unpkg
src/workflow.tsView file
Published source reference
Medium
Ai Review Evidence

`src/workflow.ts` imports `node:vm` for workflow-script handling.

src/workflow.tsView on unpkg
src/worktree.tsView file
Published source reference
Medium
Ai Review Evidence

`src/worktree.ts` can invoke `git worktree` when agent isolation is requested.

src/worktree.tsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumWildcard Dependency
MediumAi Review Evidenceextensions/workflow.ts
MediumAi Review Evidencesrc/web-tools.ts
MediumAi Review Evidencesrc/workflow.ts
MediumAi Review Evidencesrc/worktree.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings